
arc::tests::zero_sized::clone encounters UB, will fail in Rust 1.83

Open saethlin opened this issue 1 year ago • 0 comments

I am filing this issue because this project's tests failed in a crater run for this PR: https://github.com/rust-lang/rust/pull/130251 which should land in Rust 1.83.

The problem is that this crate can (under some conditions I do not understand, but which are encountered by arc::tests::zero_sized::clone) apply a negative offset to a null pointer via ptr::offset, which would cause the pointer to wrap around the address space. The standard library is getting a debug assertion for such wrapping offsets. I suspect that there are other problems with ArcBlock; it looks like its pointer-returning functions are based on creating a temporary reference, which creates a whole host of aliasing problems.

In any case, Miri can also be used to detect this bug today:

╰ ➤ cargo +nightly miri test arc::tests::zero_sized::clone
    Finished `test` profile [unoptimized + debuginfo] target(s) in 0.02s
     Running unittests src/lib.rs (target/miri/x86_64-unknown-linux-gnu/debug/deps/pen_ffi-222e70836f70fa68)

running 1 test
test arc::tests::zero_sized::clone ... error: Undefined Behavior: out-of-bounds pointer arithmetic: expected a pointer to the end of 8 bytes of memory, but got a null pointer
   --> src/arc/arc_block.rs:65:19
    |
65  |         (unsafe { (self.pointer as *const usize).offset(-1) }) as *const ArcInner
    |                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ out-of-bounds pointer arithmetic: expected a pointer to the end of 8 bytes of memory, but got a null pointer
    |

saethlin, Oct 07 '24 22:10
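The pattern Miri flags above is recovering the header of an allocation by stepping backwards from the data pointer with `offset(-1)`; when `T` is zero-sized, that data pointer was never derived from a real allocation (it may be null or dangling), so the subtraction is out-of-bounds pointer arithmetic. The sketch below is an added example, not code from the pen project or from this issue's author: it shows the usual way to avoid the problem, which is to store the pointer to the start of the allocation and derive the data pointer from it with `add`, so that no negative offset is ever applied and the zero-sized case lands on a one-past-the-end pointer that is still in bounds. `Header`, `Block`, `block_layout` and the helper functions are hypothetical names chosen for the example; `ArcInner` and `ArcBlock` are the crate's own names mentioned in the report.

```rust
use std::alloc::{alloc, dealloc, handle_alloc_error, Layout};
use std::marker::PhantomData;
use std::ptr::{self, NonNull};
use std::sync::atomic::{fence, AtomicUsize, Ordering};

/// Hypothetical reference-count header, standing in for the crate's `ArcInner`.
#[repr(C)]
struct Header {
    strong: AtomicUsize,
}

/// Layout of `Header` followed by a properly aligned `T`, and the byte offset of `T`.
/// For a zero-sized `T` the offset equals the header size and the total size is
/// just the header, so the allocation is never zero-sized.
fn block_layout<T>() -> (Layout, usize) {
    let (layout, data_offset) = Layout::new::<Header>()
        .extend(Layout::new::<T>())
        .expect("layout overflow");
    (layout.pad_to_align(), data_offset)
}

/// Stores the pointer to the *start* of the allocation. The data pointer is always
/// derived from it with `add`, which stays in bounds (one-past-the-end is allowed)
/// even when `T` is zero-sized; `offset(-1)` on a possibly-null data pointer is never used.
pub struct Block<T> {
    header: NonNull<Header>,
    _marker: PhantomData<T>,
}

impl<T> Block<T> {
    pub fn new(value: T) -> Self {
        let (layout, data_offset) = block_layout::<T>();
        // Safe to allocate: the layout has non-zero size because of the header.
        let base = unsafe { alloc(layout) };
        let Some(header) = NonNull::new(base.cast::<Header>()) else {
            handle_alloc_error(layout);
        };
        unsafe {
            header.as_ptr().write(Header { strong: AtomicUsize::new(1) });
            base.add(data_offset).cast::<T>().write(value);
        }
        Block { header, _marker: PhantomData }
    }

    /// Data pointer derived forwards from the allocation base; no temporary reference
    /// to the header or the value is created along the way.
    fn data_ptr(&self) -> *mut T {
        let (_, data_offset) = block_layout::<T>();
        unsafe { self.header.as_ptr().cast::<u8>().add(data_offset).cast::<T>() }
    }

    pub fn get(&self) -> &T {
        unsafe { &*self.data_ptr() }
    }

    pub fn strong_count(&self) -> usize {
        unsafe { (*self.header.as_ptr()).strong.load(Ordering::Acquire) }
    }
}

impl<T> Clone for Block<T> {
    fn clone(&self) -> Self {
        unsafe { (*self.header.as_ptr()).strong.fetch_add(1, Ordering::Relaxed) };
        Block { header: self.header, _marker: PhantomData }
    }
}

impl<T> Drop for Block<T> {
    fn drop(&mut self) {
        let prev = unsafe { (*self.header.as_ptr()).strong.fetch_sub(1, Ordering::Release) };
        if prev == 1 {
            // Last owner: synchronise with earlier decrements, drop the value, free the block.
            fence(Ordering::Acquire);
            let (layout, _) = block_layout::<T>();
            unsafe {
                ptr::drop_in_place(self.data_ptr());
                dealloc(self.header.as_ptr().cast::<u8>(), layout);
            }
        }
    }
}

/// Mirrors the failing `arc::tests::zero_sized::clone`: cloning a block holding a ZST.
pub fn zero_sized_clone_count() -> usize {
    let a = Block::new(());
    let b = a.clone();
    let c = b.clone();
    let n = a.strong_count();
    drop(c);
    n
}

/// Same block with a sized payload, to show the forward-derived data pointer reads back.
pub fn sized_roundtrip() -> u64 {
    let a = Block::new(0x1234_5678u64);
    let b = a.clone();
    *b.get()
}
```

Running this under `cargo +nightly miri test`, as the report does for the crate, is the check to keep in CI: Miri reports both the out-of-bounds arithmetic of the `offset(-1)` pattern and the aliasing violations that come from manufacturing pointers through temporary references, which the forward-derivation above avoids.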